Hermann Schwärzler | 31 Jul 10:55 2015

Deny with status 429 not possible?

Hi everybody,

we are having a problem with a badly written web application that
consumes all of the connections of its database pool because a crawler
is hitting it too fast.
As neither the developer of the app is reachable nor is the crawler
able/willing to slow down within the next few days, I wrote some mod_security
rules to allow only every 4th request coming from the crawler.

So far so good. That works perfectly and I am glad to have mod_security
installed!

I tried to deny the requests with an HTTP-status of
"429 Too Many Requests"
by adding "deny,status=429" to the corresponding rule.

In the apache error_log I see
 ModSecurity: Access denied with code 429 (phase 2).
But in the access_log and on the client I get a response code of 500.

Why is the response code changed to 500?

I am using
ModSecurity for Apache/2.8.0
 APR compiled version="1.3.9"; loaded version="1.3.9"
 PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
 LUA compiled version="Lua 5.1"
 LIBXML compiled version="2.7.6"

on a server with

Phil Daws | 27 Jul 13:12 2015

Patch application issue

Hello:

I have pulled down the nginx_refactoring branch and attempted to merge the pull request for the headers, but
I am receiving the following error:

[compuser@centos7-build modsecurity]$ curl -L
https://github.com/SpiderLabs/ModSecurity/pull/826.patch | git am
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0previous rebase directory
/home/compuser/nginx/nginx-1.9.3/modsecurity/.git/rebase-apply still exists but mbox given.
100   148    0   148    0     0    185      0 --:--:-- --:--:-- --:--:--   185
  0     0    0  3908    0     0   2673      0 --:--:--  0:00:01 --:--:-- 24425
curl: (23) Failed writing body (188 != 1370)

Is that pull request still valid ?

Thanks, Phil


------------------------------------------------------------------------------
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/


Gary Hull | 27 Jul 13:48 2015

A folder is being deleted and I need to white list it ... How

I am on the Bluehost VPS. 

I am a rookie dealing with ModSecurity.

On one of our websites we have an application folder that ModSecurity is deleting every 24 hrs.

The folder should be Ok as we know the people who wrote the content.

What information does someone need in order to help me whitelist that folder so that this site will stay up?

What log file will the information be in? I have looked through the log files that I can find and do not find any paths for the deleted folder.

Thanks for any help anyone can be.
--
Gary Hull
337-515-2114


I have a question:nginx1.9.2 with modsecurity2.9 in reverse proxy-mode

Hi!

I am trying to use nginx 1.9.2 with ModSecurity 2.9 in reverse-proxy mode to protect my web app. The .js/.css/.png files in my web app cannot be returned to the client, but the .html files are OK. There are a lot of errors in the log like these:

2015/07/27 15:52:06 [notice] 17130#0: start worker process 17284
2015/07/27 15:52:06 [notice] 17130#0: signal 29 (SIGIO) received
2015/07/27 15:52:06 [notice] 17130#0: signal 17 (SIGCHLD) received
2015/07/27 15:52:06 [alert] 17130#0: worker process 17281 exited on signal 11 (core dumped)
2015/07/27 15:52:06 [notice] 17130#0: start worker process 17286
2015/07/27 15:52:06 [notice] 17130#0: signal 29 (SIGIO) received
2015/07/27 15:52:06 [notice] 17130#0: signal 17 (SIGCHLD) received
2015/07/27 15:52:06 [alert] 17130#0: worker process 17276 exited on signal 11 (core dumped)
2015/07/27 15:52:06 [notice] 17130#0: start worker process 17288
2015/07/27 15:52:06 [notice] 17130#0: signal 29 (SIGIO) received

When I remove the ModSecurity configuration from nginx.conf, the web app works normally.

Thanks for your help!

Neha Chriss | 23 Jul 01:43 2015

Advice on Whitelisting JSON ARGS_NAMES

I want to whitelist alerts for a JSON-formatted ARGS_NAMES, and I'm not quite sure what the best method is. Here's my current rule:

SecRule ARGS_NAMES:"(\{\"(data)\"\:)((\{\"[a-z_]+\"\:).*)" "(.*)" "id:308,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=.*;ARGS_NAMES:(\{\"(data)\"\:)((\{\"[a-z_]+\"\:).*)"

As you can see it's a bit unwieldy, and it doesn't seem to match for all cases/combinations of fields. The second requirement I have is to restrict this via URI, in this case '/new/data'.

Any comments appreciated.


Here's an alert below:


2015-07-22T22:02:03.61377 [Wed Jul 22 22:02:03.613737 2015] [:error] [pid 14702:tid 140281273739008] [client 10.72.2.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:981257-Detects MySQL comment-/space-obfuscated injections and backtick termination-OWASP_CRS/WEB_ATTACK/SQLI-ARGS_NAMES:{"data":{"categories":[{"uuid":"10009","name":"Books","folder":"School"}],"category_ids":["188"],"transaction_ids":["ed529b9f47ee-ab23-5b98-4404-d59a86b9","ed529b9f47ee-ab23-5b98-4404-d59a86b9","ed529b9f47ee-ab23-5b98-4404-d59a86b9"]}}. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20, SQLi=4, XSS=0): Last Matched Message: 981243-Detects classic SQL injection probings 2/2"] [data "Last Matched Data: ,\\x22name\\x22:"] [hostname "host.name.com"] [uri "/new/data"] [unique_id "VbAS2wobA80AADluSjYAAADw"]
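An added example for this thread, written here by the editor and not the poster's rule set or anything shipped with the CRS. The alert above shows the whole JSON document arriving as a single ARGS_NAMES entry, which is what happens when ModSecurity parses the body as form data. Routing application/json bodies to the JSON body processor turns each key into its own argument, and the exclusion can then be scoped to /new/data with a ctl action instead of a regex over the whole body. Rule ids 100001 and 100002 are assumptions; the tag OWASP_CRS/WEB_ATTACK/SQLI is the one named in the alert.

```apache
# Added example: parse JSON bodies and scope the ARGS_NAMES exclusion to one URI.
SecRequestBodyAccess On

# 1. Send application/json bodies to the JSON body processor (ModSecurity
#    2.8+ built with libyajl). Each key then becomes its own argument instead
#    of the whole document appearing as a single argument name.
SecRule REQUEST_HEADERS:Content-Type "application/json" \
    "id:100001,phase:1,t:none,t:lowercase,pass,nolog,\
    ctl:requestBodyProcessor=JSON"

# 2. Only for /new/data, stop the SQLi rules (selected by tag) from looking at
#    argument names. Argument values and every other URI are still inspected.
#    ctl: changes apply to the current transaction only and to rules that run
#    after this one, so a phase:1 rule covers the phase:2 CRS rules.
SecRule REQUEST_URI "@beginsWith /new/data" \
    "id:100002,phase:1,t:none,pass,nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQLI;ARGS_NAMES"
```

With the body parsed, the debug log (SecDebugLogLevel 9) lists the argument names the processor produced; if only one or two keys trigger the SQLi rules, replace ARGS_NAMES in rule 100002 with ARGS:that-key for a narrower exclusion. If the client posts the JSON as a form field (application/x-www-form-urlencoded), rule 100001 does nothing and the URI-scoped ARGS_NAMES exclusion in rule 100002 is the fallback.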
cb bx | 9 Jul 15:07 2015

modsecurity-console download not found

Hi

I want to download the ModSecurity console for Linux CentOS 7. I googled for it but have not found any tar.gz for it.

If you know of any source, please let me know the link.
Absol - Assistenza Tecnica | 9 Jul 09:30 2015

Block IP with mod_security on Windows

Hi everyone,
I'm doing some experiments on a Windows+Apache web server using mod_security to prevent DoS/DDoS attacks.

The main problem I'm facing here is that, without iptables, a lot of the guides on the internet are pretty useless.
So far I managed to have this code in my modsecurity.conf:

SecRule REQUEST_BASENAME "!(\.avi$|\.bmp$|\.css$|\.doc$|\.flv$|\.gif$|\
                            \.htm$|\.html$|\.ico$|\.jpg$|\.js$|\.mp3$|\
                            \.mpeg$|\.pdf$|\.png$|\.pps$|\.ppt$|\.swf$|\
                            \.txt$|\.wmv$|\.xls$|\.xml$|\.zip$)"\
                            "id:1,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.requests=+1,expirevar:ip.requests=1"

SecRule ip:requests "@eq 5" "id:4,phase:1,deny,log,logdata:'req/sec: %{ip.requests}, blocks: %{ip.blocks}',status:403"

But I just tried with LOIC and it seems not to work (there's nothing in my log file/folder and I can still access the website).

Before that I had a different set of rules:

# if there were more than 5 requests per second for this IP
# set var block to 1 (expires in 5 seconds) and increase var blocks by one (expires in an hour)
#SecRule ip:requests "@eq 5" "id:2,phase:1,pass,log,setvar:ip.block=1,expirevar:ip.block=5,setvar:ip.blocks=+1,expirevar:ip.blocks=3600"

# if user was blocked more than 5 times (var blocks>5), log and return http 403
#SecRule ip:blocks "@ge 5" "id:3,phase:1,deny,log,logdata:'req/sec: %{ip.requests}, blocks: %{ip.blocks}',status:403"

# if user is blocked (var block=1), log and return http 403
SecRule ip:blocks "@eq 1" "id:4,phase:1,deny,log,logdata:'req/sec: %{ip.requests}, blocks: %{ip.blocks}',status:403"

With those rules I managed to have a file in the log folder with the IP that should be blocked, but nothing happens to them, they still can access the test website just fine.

Do you have any hints on how to do that?
Is there something I'm missing/doing wrong with this configuration?

Thanks a lot and have a nice day.
Edoardo
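An added example rule set, written by the editor for this thread and for Hermann Schwärzler's "Deny with status 429 not possible?" thread at the top of the page; it is not either poster's configuration. The counter lives in the IP collection, the rule that sets the block flag and the rule that tests it use the same variable name (ip.block), the rule that sets it is active, and the response is 429 rather than 403. Rule ids 100010 to 100012, the thresholds (20 requests in 5 seconds, 60 second block), the SecDataDir path and the extension list are assumptions to adapt; on Windows the data directory would be something like C:/Apache24/modsecurity-data.

```apache
# Added example: per-client request rate limiting done entirely inside
# ModSecurity, no iptables involved. Adapt ids, thresholds and paths.

# Persistent storage for the IP collection. The directory must exist and be
# writable by the httpd worker process, otherwise the counters never persist
# and no client is ever blocked.
SecDataDir /var/cache/modsecurity

# 1. Open (or create) this client's IP collection and count the request.
#    initcol must come first: setvar:ip.* without it is a silent no-op.
#    Static files are not counted. expirevar is re-armed on every counted
#    request, so the counter resets after 5 seconds without requests.
SecRule REQUEST_FILENAME "!\.(?:css|js|png|jpg|gif|ico|woff2?)$" \
    "id:100010,phase:1,pass,nolog,\
    initcol:ip=%{REMOTE_ADDR},\
    setvar:ip.requests=+1,expirevar:ip.requests=5"

# 2. Over budget: mark the client blocked for 60 seconds. @gt rather than
#    @eq, so the rule still fires when the counter is already past 20.
SecRule IP:requests "@gt 20" \
    "id:100011,phase:1,pass,log,\
    msg:'Rate limit exceeded, blocking client',\
    setvar:ip.block=1,expirevar:ip.block=60"

# 3. Refuse every request from a blocked client with 429 Too Many Requests.
#    This tests ip.block, the variable rule 100011 sets.
SecRule IP:block "@eq 1" \
    "id:100012,phase:1,deny,status:429,log,\
    msg:'Client blocked by rate limit',\
    logdata:'requests in window: %{ip.requests}'"
```

To check what the client really receives, compare the error_log line ("Access denied with code 429") with the status in the access_log and in the response from curl -i. If the two disagree and the client gets 500, as in the 429 thread, the most likely cause is the httpd build rather than ModSecurity: Apache httpd 2.2 has no entry for 429 in its status table and reports any status it does not know as 500 Internal Server Error. On such a build use status:503, which 2.2 knows, or move to httpd 2.4, which knows 429.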
don magnify | 8 Jul 16:41 2015

MULTIPART_DATA_BEFORE

hi all...

Can anybody please explain what exactly MULTIPART_DATA_BEFORE means and how a programmatically created form submission on the wonderful Windows .NET framework would be tripping it?

thanks... 
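An added example by the editor (not from the poster or the project) that makes the multipart parser flags visible one by one. MULTIPART_DATA_BEFORE is set when the request body contains bytes before the first boundary line, that is, a non-empty RFC 2046 preamble, which strict parsing treats as suspicious. The rule below logs all the flags that the stock modsecurity.conf-recommended rule 200003 folds into MULTIPART_STRICT_ERROR, so the audit log shows exactly which one the .NET client tripped. Rule ids 100020 and 100021 and the /upload path are assumptions.

```apache
# Added example: diagnose a MULTIPART_STRICT_ERROR hit flag by flag.
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLogParts ABCFHZ

# Log every multipart parser flag for a body that had data before the first
# boundary. pass, not deny: this rule is for diagnosis and does not block.
SecRule MULTIPART_DATA_BEFORE "@eq 1" \
    "id:100020,phase:2,pass,log,\
    msg:'Multipart body has data before the first boundary',\
    logdata:'DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, \
CL %{MULTIPART_CRLF_LF_LINES}, IQ %{MULTIPART_INVALID_QUOTING}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
UB %{MULTIPART_UNMATCHED_BOUNDARY}, FL %{MULTIPART_FILE_LIMIT_EXCEEDED}',\
    ctl:auditEngine=On"

# Once the client is known to be harmless and cannot be fixed, exclude the
# strict check for that one endpoint only (200003 is the id used in
# modsecurity.conf-recommended; adjust if yours differs).
SecRule REQUEST_URI "@beginsWith /upload" \
    "id:100021,phase:1,pass,nolog,ctl:ruleRemoveById=200003"
```

With audit part C enabled the raw body is in the audit log, so the bytes in front of the first --boundary line can be read directly. Keep the exclusion in rule 100021 as narrow as the offending client's endpoint; the strict multipart checks exist because parser-confusing bodies are a classic way to smuggle content past a WAF.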
Gyana Ranjan Panigrahi | 8 Jul 14:27 2015

Few suggestions required for Implementing Mod Security In My Application

Hi,
I have an application with a Tomcat server integrated into it.
I want to implement ModSecurity in my application.
So is it possible to implement ModSecurity without the Apache httpd service, or is httpd a must?
Is it recommended to go with the JNI-based approach? I found this link (https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-for-Java---BETA-Testers-Needed/) for the JNI-based approach; it says it is Beta.
So what is the best way to implement ModSecurity with my application with the Tomcat server running?
Can someone suggest the best approach to go for?

--
Best & Regards
Gyana Ranjan Panigrahi

Michael Haas | 2 Jul 13:12 2015

SecUploadKeepFiles + inspectFile

Hello,

In 2.9, when SecUploadKeepFiles is Off, @inspectFile is not working anymore. With RelevantOnly and On it is working.
In 2.7 and 2.8 it also worked with Off.
Is this an intended change or a bug?

Thanks in Advance
Michael

Daniel Butcher | 1 Jul 14:06 2015

Integrating CAPTCHA

I am looking to install mod-security to prevent harvesting attacks. I would like to present Google reCAPTCHA to the client/user if we detect a potential attack, to enable real/human users to continue to the desired page.

Is this possible?

Regards

Dan
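It is possible in outline, and an added example by the editor follows (not the poster's or the project's configuration). ModSecurity can count requests per client and, with the redirect action, send a client that is over budget to a page served by the application; ModSecurity cannot talk to Google's reCAPTCHA verification API itself, so the application has to render the widget, verify the response server-side and set a cookie that the rules then accept. The cookie name human_ok, the /captcha path, the budget (30 requests per 60 seconds), the extension list and rule ids 100040 to 100043 are assumptions.

```apache
# Added example: bounce suspected harvesters to an application-served CAPTCHA
# page and let them through once the application has vouched for them.
SecDataDir /var/cache/modsecurity

# The CAPTCHA page must stay reachable, so skip the counter and the
# redirect for it.
SecRule REQUEST_URI "@beginsWith /captcha" \
    "id:100040,phase:1,pass,nolog,ctl:ruleRemoveById=100041-100043"

# Count page requests per client IP over a 60 second window; static
# assets do not count.
SecRule REQUEST_FILENAME "!\.(?:css|js|png|jpg|gif|ico)$" \
    "id:100041,phase:1,pass,nolog,\
    initcol:ip=%{REMOTE_ADDR},setvar:ip.hits=+1,expirevar:ip.hits=60"

# A client that solved the CAPTCHA carries a cookie set by the application.
# ModSecurity only checks its shape (assumed: 64 hex characters); the
# application must issue it as an unguessable, server-verifiable token,
# otherwise a harvester can simply invent one.
SecRule REQUEST_COOKIES:human_ok "@rx ^[0-9a-f]{64}$" \
    "id:100042,phase:1,pass,nolog,setvar:tx.human=1"

# Over budget and no valid cookie: 302 to the CAPTCHA page. The application
# sends the user back to the original page after Google verifies the response.
SecRule IP:hits "@gt 30" \
    "id:100043,phase:1,chain,log,\
    msg:'Request budget exceeded without CAPTCHA cookie, redirecting',\
    redirect:/captcha"
    SecRule &TX:human "@eq 0"
```

Human users who exceed the budget solve one CAPTCHA per cookie lifetime; a bot that cannot solve it is stuck at /captcha and never reaches the harvested pages. Keep the cookie short-lived and have the application bind it to the client (for example by HMAC over the address and an expiry) so a token obtained once cannot be shared across a botnet.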

Gmane